Keeping Clients' Information Safe

A survey from the North American Securities
Administrators Association (NASAA) asked state-registered small and mid-sized
investment adviser firms how they use websites and technology, such as tablets
and other mobile devices, to connect with clients—and keep their clients’
information safe.

Advisory firms are increasingly using
technology to communicate with their clients and to access client data. Of the
440 advisers in nine states who responded to the survey, nine in ten firms
(92%) use email to contact clients, and 85% use other electronic devices—such as
computers, smartphones, tablets, etc.—to access client information. Still, only
54% reported using secure email, and a similar number (56.7%) have procedures
in place to authenticate any client instructions the firm receives via email or
other electronic messaging.

Two-thirds (66%) reported that 3% or less of
their firm’s overall expenses was directly related to information technology
security, and more than one-third (37%) claim their firm does not conduct risk
assessments to identify potential threats, vulnerabilities and consequences. Of
those who do, only 10% conduct such assessments on a weekly basis, while 40%
perform their reviews annually.

Nearly half of responding firms (46%) said
they do not apply encryption to their files or devices, and of those who do,
one-third (32%) do not require that software to be applied universally across
all electronic devices used to access client information.

Perhaps this behavior stems from a lack of a
perceived threat to advisory firms: Just 4.1% reported a “cybersecurity
incident,” while 1.1% admitted their firm has, directly or indirectly,
experienced theft, loss, unauthorized exposure, or unauthorized access to or
use of client information. (Still, 6% did not respond to that question.)

One-quarter (25%) of firms said they do not
have a website, and just over half of respondents (51%) said that their firm’s
website does not include a client portal. Two-thirds (66%) do not utilize the
firm’s website to use or access client information.

The advisory firms reported on the technology-related
procedures or training programs they currently maintain:

44.6% have a policy addressing cybersecurity;

47.4%, the disposal of electronic data
storage devices;

39.2%, loss of electronic devices; and

38.0%, detecting unauthorized activity on
the firm’s networks or devices.

More than one-fifth (23.1%) even said their
firm has no procedures relating to any technology issues. If advisers are not
concerned about their data security, the report finds they may be more focused
on another aspect of their online services: The most common issue for which
firms have established such a program or procedure is social media. More than
half (50.9%) reported policies relating to the use of LinkedIn, Twitter,
Facebook, etc. for business purposes.